Bloodborne pathogen training: what OSHA actually requires

OSHA 29 CFR 1910.1030 requires annual BBP training for all at-risk employees. Learn exactly what must be covered, who qualifies as a trainer, and what records to keep.

SafetyFolio Team
25 min read
In This Article

Last updated 2026-07-09

Healthcare worker in gloves disposing syringe into sharps container for bloodborne pathogen safety
Healthcare worker in gloves disposing syringe into sharps container for bloodborne pathogen safety

TL;DR

OSHA's Bloodborne Pathogens standard (29 CFR 1910.1030) requires annual training for any employee with reasonably anticipated exposure to blood or other potentially infectious materials. Training has to cover 14 specific topics, happen on paid work time, come from a knowledgeable person, and include live question-and-answer access. Keep training records three years; keep medical records for employment plus 30 years.

What does OSHA's bloodborne pathogen standard actually require?

If your employees could reasonably touch blood or other potentially infectious materials (OPIM) on the job, you owe them four things: a written Exposure Control Plan, free hepatitis B vaccination, access to post-exposure evaluation, and annual training. All four. There's no pick-and-choose version.

OSHA put these rules in 29 CFR 1910.1030, which took effect in 1992 and got a major update in 2001 after the Needlestick Safety and Prevention Act [1]. The standard covers general industry. Construction and agriculture run under separate rules, but healthcare, emergency response, tattooing, funeral services, and plenty of school and daycare settings all sit squarely under 1910.1030.

The standard defines "occupational exposure" as "reasonably anticipated skin, eye, mucous membrane, or parenteral contact with blood or other potentially infectious materials that may result from the performance of an employee's duties" [1]. Read that phrase "reasonably anticipated" twice. You don't need a prior incident on the books. If the task creates a believable exposure path, the standard applies.

OPIM goes well past blood. It includes semen, vaginal secretions, cerebrospinal fluid, synovial fluid, pleural fluid, pericardial fluid, peritoneal fluid, amniotic fluid, saliva in dental procedures, and any body fluid visibly contaminated with blood. It also covers unfixed human tissue or organs, and HIV- or HBV-containing cell cultures [1]. Sweat, tears, feces, nasal secretions, sputum, urine, and vomit are not OPIM unless there's visible blood in them.

Here's the practical trigger question for a small business. Does anyone on your payroll give first aid, handle sharps, clean up bodily fluids, or work in a clinical or lab setting? If yes, you need a program.

Who has to take bloodborne pathogen training?

Any employee with occupational exposure has to be trained. There's no carve-out for small employers or part-timers. One person in a ten-person landscaping crew who gives first aid to coworkers counts as an exposed worker and has to be trained [2].

OSHA has said this plainly in its letters of interpretation. Employers who designate employees to render first aid as part of their duties, even as a side task, must cover those employees under the BBP standard [2]. And if nobody is formally designated but somebody would obviously step in during an emergency, OSHA expects you to find that person and train them.

Who usually lands in scope:

SettingAt-Risk Roles
Healthcare (hospitals, clinics, dental)Nurses, MAs, phlebotomists, housekeeping, lab techs
Emergency servicesParamedics, EMTs, firefighters, law enforcement first responders
Schools and child careDesignated first-aid providers, school nurses
Tattoo and body art studiosArtists, piercers
Funeral homesEmbalmers, funeral directors
Research labsScientists handling human-derived specimens
Correctional facilitiesOfficers with first-aid duties
Any workplace with a first-aid designeeThe person whose job includes rendering first aid

Administrative staff with no exposure path aren't required to train under 1910.1030. You can train them anyway if you want. It costs nothing and hurts no one, but it doesn't count as covering the people who actually need it.

What specific topics must bloodborne pathogen training cover?

This is where employers trip. 29 CFR 1910.1030(g)(2)(vii) spells out the required training elements, and there are 14 of them. Handing someone a pamphlet doesn't cut it. Here's the full list the standard makes you cover [1]:

1. An accessible copy of the regulatory text of 1910.1030 and an explanation of its contents. 2. A general explanation of the epidemiology and symptoms of bloodborne diseases. 3. An explanation of the modes of transmission of bloodborne pathogens. 4. An explanation of the employer's written Exposure Control Plan and how to get a copy. 5. An explanation of how to recognize tasks and activities that may involve exposure to blood and OPIM. 6. An explanation of the use and limits of methods that prevent or reduce exposure, including engineering controls, work practice controls, and PPE. 7. Information on the types, proper use, location, removal, handling, decontamination, and disposal of PPE. 8. An explanation of the basis for choosing particular PPE. 9. Information on the hepatitis B vaccine: its efficacy, safety, method of administration, benefits, and that it's offered free of charge. 10. Information on what to do and who to contact in an emergency involving blood or OPIM. 11. An explanation of the procedure to follow if an exposure incident occurs, including how to report it and the medical follow-up available. 12. Information on the post-exposure evaluation and follow-up the employer has to provide. 13. An explanation of the signs, labels, and color coding the standard requires. 14. An opportunity for interactive questions and answers with the person conducting the training.

That last one carries more weight than most employers think. Item 14 means a pre-recorded video by itself doesn't satisfy the standard unless there's a way to ask a real person questions in real time. OSHA's position, stated in more than one letter of interpretation, is that a live trainer or a live follow-up session has to be available [2]. A self-paced online course with zero human access fails on its own.

Training has to be free to the employee and delivered during normal working hours [1]. No unpaid lunch-hour webinars.

Most common OSHA bloodborne pathogen citation categories Approximate share of cited violation types under 29 CFR 1910.1030 in general industry inspections Exposure Control Plan missing or… 38 Training requirements not met 27 Hepatitis B vaccination not offer… 15 Engineering controls / sharps saf… 11 Biohazard labeling violations 9 Source: OSHA Data and Statistics, OSHA.gov (citation data, recent inspection cycles)

How often is bloodborne pathogen training required?

Annual. Every year. 29 CFR 1910.1030(g)(2)(ii) requires training at the time of initial assignment to tasks where occupational exposure may occur, and at least annually after that [1].

"Annually" means within 12 months of the last training date, not January to January. Train someone on March 15 last year and their renewal is due by March 15 this year.

More training is required whenever tasks or procedures change in a way that affects exposure, or when you bring in new engineering controls. That extra training only has to cover the new material. You don't repeat the whole curriculum [1].

New hires get trained before they touch any task with exposure potential. Waiting for the next scheduled group session isn't allowed.

You can skip retraining existing staff on topics they've already mastered if you can prove competency, but almost nobody bothers. Running the full annual curriculum is easier to document than arguing competency to an inspector.

Who is qualified to deliver bloodborne pathogen training?

The standard says training has to come from someone "knowledgeable in the subject matter covered" as it relates to your workplace [1]. OSHA doesn't demand a specific license, degree, or third-party certificate for the trainer.

In plain terms: a registered nurse, an infection control officer, a safety professional, or a seasoned EMS trainer all qualify. A manager who watched a YouTube video does not.

OSHA's 1993 letter of interpretation on this point said the trainer needs relevant expertise and has to be able to answer employee questions about their specific workplace conditions [2]. General bloodborne pathogen knowledge is the floor, not the ceiling. The trainer has to understand your actual tasks and how the exposure risks show up in them.

Third-party online programs are everywhere and can meet the content requirements just fine. But the interactive Q&A rule means the vendor has to give your people access to a qualified person for questions, or you supplement the online content with a live session yourself. Before you buy anything, ask the vendor point-blank how they handle item 14.

If you're building a full safety program from scratch, OSHA training requirements across multiple standards can feel like a mountain. Most aren't as detailed as the BBP standard. They still stack up fast.

What records do you have to keep, and for how long?

Two separate recordkeeping jobs live inside 29 CFR 1910.1030, and they run on very different clocks.

Training records come first. For every session you keep the date, the contents or a summary, the names and qualifications of the trainers, and the names and job titles of everyone who attended. Hold those for three years from the training date [1].

Medical records are the second job. If an employee has an exposure incident and gets a medical evaluation, you keep those confidential records for the duration of employment plus 30 years [1]. They follow OSHA's access rule: employees can see their own records, and you can't hand them to anyone else without written consent from the employee.

Inspectors ask for both during a worksite visit. Missing training records rank among the most common BBP citations, because employers often train out loud and then skip the sign-in sheet or the trainer credentials.

Best practice is one binder or digital folder per employee: initial training date, each annual renewal date, trainer name and qualifications, and a signature. If OSHA ever cites you for a BBP problem, clean records are your best defense. Sometimes your only one.

Filing an incident report after an exposure event is separate from medical recordkeeping under 1910.1030, though a serious exposure can trigger both.

What does a written Exposure Control Plan need to include?

The Exposure Control Plan (ECP) is the spine of your BBP compliance. 29 CFR 1910.1030(c) requires every employer with exposed employees to prepare a written ECP [1]. The plan has to include three things:

1. An exposure determination that lists job classifications and specific tasks involving occupational exposure. You build this list without regard to whether employees wear PPE. 2. The schedule and method for putting every element of the standard into practice: engineering controls, PPE, housekeeping, hepatitis B vaccination, post-exposure evaluation and follow-up, hazard communication, and recordkeeping. 3. A procedure for evaluating the circumstances around exposure incidents.

The ECP has to be accessible to employees at all times and reviewed and updated at least annually, or whenever tasks change or you add positions [1].

The 2001 Needlestick Safety and Prevention Act amendment added a piece a lot of older plans miss: the ECP has to explain how you identify and select safer needle devices, and you have to bring frontline non-managerial employees into that evaluation [1]. If your plan hasn't been touched since 2000, this is probably the gap.

For a small business with no safety department, writing the ECP from a blank page is the hardest part of BBP compliance. SafetyFolio's program generator produces a compliant ECP template tailored to your industry and job titles in about 15 minutes, which you then review and sign off on. It doesn't replace your judgment. It just gives you something real to edit instead of a cursor blinking on a white screen.

A site-specific written plan shows up in other standards too. If you're building the whole program, the hazard communication standard is another one that demands a written plan of its own.

What are the hepatitis B vaccination requirements under OSHA?

You have to offer hepatitis B vaccination to every employee with occupational exposure, free, at a reasonable time and place, supervised by a licensed healthcare professional, and in line with current U.S. Public Health Service recommendations [1].

That offer has to happen within 10 working days of an employee's initial assignment to tasks with exposure potential. The employee can turn it down, but they sign a declination form using the exact language in Appendix A of the standard: "I understand that due to my occupational exposure to blood or other potentially infectious materials I may be at risk of acquiring hepatitis B virus (HBV) infection. I have been given the opportunity to be vaccinated with hepatitis B vaccine, at no charge to myself. However, I decline hepatitis B vaccination at this time..." [1].

If someone declines now and changes their mind later, you still provide the vaccine free of charge. The door stays open.

Employees who already completed the full series, who show immunity through antibody testing, or who can't take the vaccine for medical reasons are exempt from the requirement.

Hepatitis B vaccine is a three-shot series. Through an occupational health clinic, the series runs roughly $150 to $250 per employee, though the number swings a lot by region and provider. OSHA doesn't reimburse a dime of it. It's a cost of doing business in industries with exposure.

What happens after an occupational exposure incident?

An exposure incident is a specific eye, mouth, other mucous membrane, non-intact skin, or parenteral contact with blood or OPIM [1]. The moment one happens, the standard kicks in.

You have to make a confidential medical evaluation and follow-up available to the exposed employee at no cost. That evaluation includes:

  • Documentation of the route of exposure and the circumstances.
  • Identification and documentation of the source individual (when feasible and not barred by law) and testing of the source individual's blood.
  • Collection and testing of the exposed employee's blood, after consent.
  • Post-exposure prophylaxis when medically indicated.
  • Counseling.
  • Evaluation of reported illnesses.

The healthcare professional who does the evaluation gives you a written opinion, and that opinion is deliberately narrow. It can only say whether hepatitis B vaccination was indicated and whether the employee was told about the evaluation results and any condition from the exposure that needs more treatment. Everything else stays confidential [1].

Time is the whole game here. HIV post-exposure prophylaxis works best when it starts within 72 hours of exposure, and CDC guidance is the clinical basis your occupational health provider will use [3]. The CDC keeps the reference material on post-exposure management through its bloodborne pathogens topic pages.

Your employees need to know immediately who to call and where to go. Not eventually. Not after they find the binder. That's exactly why the ECP has to name the contacts and lay out the procedure in plain language.

What are the OSHA penalties for bloodborne pathogen violations?

BBP citations under 29 CFR 1910.1030 are common and they're expensive. It's one of the most frequently cited standards in healthcare inspections.

Here's OSHA's penalty structure as of 2024 [4]:

Violation TypeMaximum Penalty Per Violation
Serious$16,550
Other-than-serious$16,550
Willful or repeated$165,514

OSHA adjusts these for inflation every year. The figures above come from the limits set under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, updated through 2024 [4].

In real inspections, OSHA runs a penalty calculation that weighs the gravity of the violation, the employer's size, good faith, and history. A small employer with a first violation and a believable correction plan usually lands well under the maximum. Willful violations are a different animal, especially where employees have actually been hurt. Those have produced six-figure citations.

The BBP citations that show up most often: no written ECP, missing or outdated training records, failure to offer the hepatitis B vaccine, failure to use engineering controls like safety-engineered sharps, and improper labeling of biohazardous waste [9].

State-plan states run their own penalty schedules, which have to be at least as effective as the federal standard. California's Cal/OSHA is a good example. It enforces a separate BBP standard (8 CCR 5193) that mirrors 1910.1030 but carries its own enforcement history [6].

Does online bloodborne pathogen training satisfy OSHA's requirement?

Yes, with one catch. Online training can meet the content requirements of 29 CFR 1910.1030(g)(2)(vii) as long as it covers all 14 elements. But the interactive Q&A requirement in item 14 means a purely self-paced video course with no live human access does not fully satisfy the standard on its own [2].

OSHA has addressed this in its letters of interpretation. Distance learning and computer-based training are permissible methods, but the employer has to make sure a qualified trainer is reachable to answer questions specific to the workplace, through a live follow-up session, direct phone or email access to the trainer, or another interactive mechanism [2].

The common workaround: use the online course for content delivery, then hold a short 15 to 20 minute group Q&A with a qualified staff member to close out item 14. Document that session. Date, who ran it, who attended, and a note that questions were invited and answered.

For OSHA training in general, the same logic holds across standards. Online delivery is almost always fine for content, but some standards demand hands-on competency verification that no video can stand in for.

What are the most common BBP training mistakes small businesses make?

The standard has been on the books for more than 30 years, and the same handful of mistakes keep landing in OSHA citations.

No written Exposure Control Plan, or one copied from a template and never customized. If your ECP lists "phlebotomists" and you run a tattoo studio, that's a problem waiting for an inspector. The plan has to describe your actual operation.

Training records with no trainer qualifications. A sign-in sheet listing names alone doesn't satisfy the standard. You need the trainer's name and the basis for their qualifications too.

Forgetting the annual cycle. Employers set up a program, run it once, and never schedule the renewal. The inspection will ask for the most recent training date for every employee, and "we did it a couple years back" is not an answer.

Using video-only training and calling item 14 done. See the section above. This is a documented, cited violation.

Not updating the ECP after switching to safety-engineered sharps or other new controls. The plan has to reflect the controls you actually use today.

Offering the hepatitis B vaccine but never documenting it. The declination form has to be on file for anyone who refused. No form means OSHA has no way to confirm you ever made the offer, so it reads as a failure to offer.

Missing employees who qualify. Small shops train the clinical staff and then forget the person who handles bloodied wound dressings in the back office, or the office manager who got named the workplace first-aid responder two years ago.

Getting your OSHA training program right across every standard you're subject to is a scheduling and documentation problem as much as a knowledge one.

How does the BBP standard interact with other OSHA requirements?

The bloodborne pathogen standard doesn't run alone. Several other OSHA rules stack on top of it or run right beside it.

PPE rules (29 CFR 1910.132 and 1910.138) require you to assess hazards and provide the right PPE. For BBP exposure that means gloves, gowns, face protection, and eye protection matched to the task. PPE has to be free, kept in reachable spots, and replaced when needed [7].

Medical waste is its own animal. State environmental regulations and the federal RCRA framework govern disposal of regulated medical waste, and they vary a lot by state. OSHA's labeling requirements for biohazardous materials (the fluorescent orange or orange-red biohazard label) under 1910.1030(g)(1) are a separate obligation from state disposal rules [1].

OSHA's recordkeeping rule (29 CFR 1904) requires you to log needlestick and sharps injuries on the OSHA 300 Log without revealing the employee's identity [8]. Any needlestick or sharps injury involving blood or OPIM is recordable. There's no days-away threshold. The cut itself is the recordable event.

An estimated 385,000 needlestick and sharps injuries happen every year among U.S. healthcare workers, according to CDC/NIOSH [10]. That number is why the sharps provisions of the standard exist at all.

In a state-plan state, confirm your state adopted 1910.1030 or an equivalent. All 26 state-plan jurisdictions have BBP standards at least as stringent as the federal version, and some add requirements. California's 8 CCR 5193 [6] and Washington's WAC 296-823 [12] are two of the more detailed state versions.

Seeing how all these pieces fit is a big part of what OSHA basics covers at the program level.

Frequently asked questions

Does OSHA's bloodborne pathogen standard apply to small businesses with fewer than 10 employees?

Yes. 29 CFR 1910.1030 has no small-employer exemption. Any employer with even one employee who has occupational exposure to blood or OPIM has to comply with the full standard: written Exposure Control Plan, annual training, hepatitis B vaccination offer, and recordkeeping. Company size affects penalty calculations, not whether the standard applies to you.

How long does OSHA bloodborne pathogen training take?

The standard sets no minimum duration. It only requires that all 14 content elements get covered and that interactive Q&A is available. Most formal programs run 60 to 90 minutes for initial training and 30 to 60 minutes for annual refreshers. Shorter courses may skip required elements. Longer isn't automatically better if the content is just padded.

Can an employer self-administer bloodborne pathogen training, or does it have to be a certified third party?

An employer can deliver training in-house. There's no requirement for a third-party provider or any specific certification. The trainer has to be knowledgeable in the subject matter as it relates to your workplace and able to answer questions about actual job tasks. A nurse, safety officer, or experienced clinician on staff qualifies. A manager with no relevant background does not.

What is the difference between bloodborne pathogen training and BBP certification?

OSHA doesn't issue or require a "BBP certification." The standard requires training, not a certificate. Third-party vendors hand out completion certificates as proof someone attended their course, but those carry no official OSHA recognition. What matters to OSHA is your training records showing dates, content, trainer qualifications, and employee names, not a wallet card from a vendor.

Does a tattoo shop need OSHA bloodborne pathogen training?

Yes. Tattoo and body piercing artists have direct occupational exposure to blood through needlework. OSHA has cited tattoo studios under 29 CFR 1910.1030. The full standard applies: written Exposure Control Plan, annual training covering all required elements, hepatitis B vaccination offer, engineering controls such as safety-engineered needles where applicable, and proper biohazardous waste disposal.

What pathogens does OSHA bloodborne pathogen training need to cover?

The standard specifically addresses hepatitis B virus (HBV), hepatitis C virus (HCV), and HIV. Training has to explain the epidemiology and symptoms of bloodborne diseases and the modes of transmission. Many trainers add other bloodborne pathogens such as HTLV or syphilis for context, but the standard's requirements center on HBV, HCV, and HIV as the primary occupational hazards.

What should I do if an employee refuses bloodborne pathogen training?

Document the refusal in writing and explain that training is required by OSHA and is a condition of their assigned duties. If they keep refusing, you may need to reassign them away from tasks with occupational exposure or take disciplinary action consistent with your policies. Letting an untrained employee stay in an exposed role puts both the worker and you at legal risk.

Are volunteer emergency responders covered by OSHA's BBP standard?

Volunteers are generally not covered, because OSHA's jurisdiction applies to employer-employee relationships. That said, some state-plan states extend coverage to certain volunteers, and nonprofit or government-run volunteer programs may face other regulatory requirements. Paid first responders, regardless of organization type, are covered under the federal standard as long as they are employees.

How do I document that I offered an employee the hepatitis B vaccine and they declined?

Use the exact declination statement language in Appendix A of 29 CFR 1910.1030. The employee signs and dates that statement. Keep the signed form in the employee's confidential medical file for the duration of employment plus 30 years. If no signed form exists, an OSHA inspector will treat it as a failure to offer the vaccine, not a voluntary declination.

What PPE is required for bloodborne pathogen exposure?

The standard requires PPE matched to the anticipated exposure: gloves for any hand contact with blood or OPIM, gowns or lab coats when splatter is possible, face shields or masks plus eye protection when splashing is likely, and mouthpieces or resuscitation bags instead of direct mouth-to-mouth contact. All PPE has to be free to the employee and available in accessible locations.

Do I need a new Exposure Control Plan if I add a new employee with occupational exposure?

Not necessarily a whole new plan, but you have to update the exposure determination section to include the new position or job title if it isn't already listed. The ECP gets reviewed and updated at least annually and whenever tasks change or positions are added. Adding an employee to a role already on the list doesn't require a plan revision, only that the new person is trained and offered vaccination.

What is the OSHA requirement for labeling biohazardous materials?

29 CFR 1910.1030(g)(1) requires fluorescent orange or orange-red warning labels bearing the biohazard symbol and the word BIOHAZARD on containers of regulated waste, refrigerators and freezers holding blood or OPIM, and other containers used to store or transport blood or OPIM. Red bags or red containers may substitute for labels. Labels attach as close as feasible to the container by string, wire, adhesive, or another method.

Can bloodborne pathogen training be done in a language other than English?

Yes, and where employees aren't fluent in English, training in their primary language is the only real way to meet the requirement that they understand the material. Both the BBP standard and OSHA's general duty clause require training that's comprehensible to the workers receiving it. Several OSHA-authorized trainers offer BBP courses in Spanish and other languages.

How soon after starting a job must a new employee be trained on bloodborne pathogens?

Before they perform any task involving potential exposure. 29 CFR 1910.1030(g)(2)(ii) requires training at the time of initial assignment to tasks where occupational exposure may occur. You can't let a new hire start exposed work and wait for the next scheduled group session. The hepatitis B vaccine offer has its own clock: within 10 working days of that assignment.

Sources

  1. OSHA, 29 CFR 1910.1030 Bloodborne Pathogens standard (full regulatory text): Full requirements for training content, ECP, vaccination, post-exposure follow-up, recordkeeping, and labeling under the BBP standard
  2. OSHA, Letters of Interpretation on Bloodborne Pathogens: OSHA interpretations confirming first-aid designees are covered, trainer qualifications, and interactive Q&A requirement for online training
  3. CDC/NIOSH, Bloodborne Infectious Diseases topic page: CDC guidance on post-exposure management and prophylaxis timelines for bloodborne pathogen exposure
  4. OSHA, Penalties page (civil penalty amounts adjusted for inflation through 2024): Maximum penalties: $16,550 per serious violation, $165,514 per willful or repeated violation, as of 2024
  5. California DIR/Cal-OSHA, Title 8 CCR Section 5193 Bloodborne Pathogens: California's state-plan BBP standard mirrors federal 1910.1030 but has its own enforcement history and penalty structure
  6. OSHA, 29 CFR 1910.132 General PPE Requirements: PPE standards requiring employer-provided gloves, gowns, and face protection for bloodborne pathogen exposure tasks
  7. OSHA, 29 CFR 1904.8 Recording Criteria for Needlestick and Sharps Injuries: Needlestick and sharps injuries involving blood or OPIM are recordable on the OSHA 300 Log without identity disclosure
  8. OSHA, Bloodborne Pathogens and Needlestick Prevention (safety and health topics page): Overview of the standard, common citation categories, enforcement history, and guidance documents for BBP compliance
  9. CDC/NIOSH, Stop Sticks Campaign - Sharps Injury Data: An estimated 385,000 needlestick and sharps-related injuries occur annually among U.S. healthcare workers
  10. U.S. Congress, Needlestick Safety and Prevention Act (Public Law 106-430, 2000): 2001 amendment to 1910.1030 requiring sharps injury log, frontline worker involvement in device selection, and safer needle device requirements
  11. Washington State L&I, WAC 296-823 Bloodborne Pathogens: Washington State's BBP standard as an example of a state-plan rule at least as effective as federal 1910.1030

Disclaimer: SafetyFolio is a safety documentation tool, not a safety consulting service. It does not replace professional safety expertise. Consult qualified safety professionals for complex or high-hazard operations.

SafetyFolio Team

SafetyFolio provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

SafetyFolio
Build My Program